I'm facing an issue with file uploads using Yii2 framework, but I think that question goes deeper than a framework problem. I have an app that allow the user do pdf files uploads, until here my app works fine but I'm in trouble when some smartass rename the filename extension from anything to pdf. The app isn't validating this kind of trick.
I tried without success to validate the mimetype. Now I'm looking for another way.
Anyone know how to block this kind of cheat?
Its better to keep it simple and just use this
<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE);
if(finfo_file($finfo,$filename) == 'application/pdf'){
// input file is pdf
}
?>
Since you said its not working for you you can try these
if you are using a Linux server you can use the shell commands to check them mime type
<?php
function detectMimeType($filename='')
{
$filename = escapeshellcmd($filename);
$command = "file -b --mime-type -m /usr/share/misc/magic {$filename}";
$mimeType = shell_exec($command);
return trim($mimeType);
}
?>
Or you can try this method .Here we assume that Pdf file starts with a %PDF string .[usually it does start with %PDF].
<?php
function detectFileType($filename='')
{
$handle = fopen($filename, "rb");
$contents = fread($handle, 4);
fclose($handle);
if($contents == "%PDF")
{
return "application/pdf";
}
else
{
return "application/octet-stream"; //unknown type
}
}
?>
[this code is not tested ]
Refer these links you will get some more info about what went wrong
http://php.net/manual/en/function.mime-content-type.php
http://php.net/manual/en/ref.fileinfo.php
the best way is to check mime type of file :
http://php.net/manual/en/function.finfo-file.php
<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE);
if(finfo_file($finfo,$filename) == 'application/pdf'){
// input file is pdf
}
finfo_close($finfo);
?>
The problem was solved using the mime_content_type function.
Check the function here php.net
This function returns the real mime type.
Related
Following this thread: PHP file upload: mime or extension based verification?
I assume that I need to check the file extension of the file that I am uploading, correct ?
I am trying to upload a binary file that results from a make file into a Raspberry using a PHP Interface.
This is the file in question:
Big_ppd_display_try1: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=047e67dcea785cb3139bc690aebcf0d537ef40fe, with debug_info, not stripped
Following this thread: php check file extension in upload form
I can try:
$allowed = array('gif','png' ,'jpg');
$filename = $_FILES['uploaded_file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if(!in_array($ext,$allowed) ) {
echo 'error';
}
But how do I tell PHP to only allow binary files like Big_ppd_display_try1 that have no file extension ?
Also, I am doing the upload from a Linux machine. How will that binary file look like on a Windows PC ?
To make sure file has no extension, compare it with null.
To check for mime tipe use finfo_ functions:
$filename = $_FILES['uploaded_file']['name'];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['uploaded_file']['tmp_name']);
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if ($ext === null && $mime === 'application/octet-stream') {
//do something
}
We can use file command if you are using linux like as bellow
$command = "file $_FILES['uploaded_file']['tmp_name']";
shell_exec($command);
It will return a string like
ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=047e67dcea785cb3139bc690aebcf0d537ef40fe, with debug_info, not stripped
You can evaluate the data returning the file type you want with this string.
I assume that I need to check the file extension of the file that I am uploading, correct ?
No.
The file extension is an arbitrary part of the "suggested filename" which is entirely under the control of the user. The procedure you should be following is:
Inspect the contents of the file as shown in this question.
Reject the file if the detected type is not in your allowed list.
Generate your own filename to save it to:
the extension should be based on the file type determined at step 1
the rest of the name might be based on what the user suggested, but should be filtered through a whitelist of allowed characters, e.g. replacing everything other than letters and numbers with -
I don't know if this is the best resolve but I have ended up checking if the file is an application/octet-stream:
<?php
if (isset($_POST['update_button']) && $_POST['update_button'] == 'Update') {
if (isset($_FILES['uploaded_file']) &&
$_FILES['uploaded_file']['error'] === UPLOAD_ERR_OK &&
$_FILES['uploaded_file']['type'] == "application/octet-stream")
{
// print_r($_FILES);
echo "<br>Successful upload !<br> ";
} else {
echo "<br>File was not uploaded !<br> ";
}
}
?>
I have ditched checking for file extension or MIME type because I think these can be easily bypassed.
I am now trying to execute the file with a certain argument and check it's response.
This is the code I am working on now:
$fileTmpPath = $_FILES['uploaded_file']['tmp_name'];
$fileName = $_FILES['uploaded_file']['name'];
// echo "<br>$fileTmpPath"."/$fileName<br>";
$command = "sudo .$fileTmpPath"."/$fileName -argument";
echo "<br>$command<br>";
$response = exec($command, $full, $status);
if($status != 0) {
echo "<br>Something went wrong<br>";
} else {
echo "<br>$response<br>";
}
I'm trying to make a upload class with PHP. so this is my first PHP class:
//Create Class
class Upload{
//Remote Image Upload
function Remote($Image){
$Content = file_get_contents($Image);
if(copy($Content, '/test/sdfsdfd.jpg')){
return "UPLOADED";
}else{
return "ERROR";
}
}
}
and usage:
$Upload = new Upload();
echo $Upload->Remote('https://www.gstatic.com/webp/gallery/4.sm.jpg');
problem is, this class is not working. where is the problem? I'm new with PHP classes and trying to learn it.
thank you.
copy expects filesystem paths, e.g.
copy('/path/to/source', '/path/to/destination');
You're passing in the literal image you fetched, so it's going to be
copy('massive pile of binary garbage that will be treated as a filename', '/path/to/destination');
You want
file_put_contents('/test/sdfsdfg.jpg', $Content);
instead.
PHP's copy() function is used for copying files that you have permission to copy.
Since you're getting the contents of the file first, you could use fwrite().
<?php
//Remote Image Upload
function Remote($Image){
$Content = file_get_contents($Image);
// Create the file
if (!$fp = fopen('img.png', 'w')) {
echo "Failed to create image file.";
}
// Add the contents
if (fwrite($fp, $Content) === false) {
echo "Failed to write image file contents.";
}
fclose($fp);
}
Since you want to download a image, you could also use the imagejpeg-method of php to ensure you do not end up with any corrupted file format afterwards (http://de2.php.net/manual/en/function.imagejpeg.php):
download the target as "String"
create a image resource out of it.
save it as jpeg, using the proper method:
inside your method:
$content = file_get_contents($Image);
$img = imagecreatefromstring($content);
return imagejpeg($img, "Path/to/targetFile");
In order to have file_get_contents working correctly you need to ensure that allow_url_fopen is set to 1 in your php ini: http://php.net/manual/en/filesystem.configuration.php
Most managed hosters disable this by default. Either contact the support therefore or if they will not enable allow_url_fopen, you need to use another attempt, for example using cURL for file download. http://php.net/manual/en/book.curl.php
U can use the following snippet to check whether its enabled or not:
if ( ini_get('allow_url_fopen') ) {
echo "Enabled";
} else{
echo "Disabled";
}
What you describe is more download (to the server) then upload. stream_copy_to_stream.
class Remote
{
public static function download($in, $out)
{
$src = fopen($in, "r");
if (!$src) {
return 0;
}
$dest = fopen($out, "w");
if (!$dest) {
return 0;
}
$bytes = stream_copy_to_stream($src, $dest);
fclose($src); fclose($dest);
return $bytes;
}
}
$remote = 'https://www.gstatic.com/webp/gallery/4.sm.jpg';
$local = __DIR__ . '/test/sdfsdfd.jpg';
echo (Remote::download($remote, $local) > 0 ? "OK" : "ERROR");
I'm uploading images from my Android app to my server. The app uses the android camera intent and upload via PHP script is ok.
I want to verify if the uploaded files are real images, I'm not checking the extension but the mimetype (I suppose this is the best way to do it, tell me if I'm wrong).
I'm using a Slackware Linux Apache server and I'm trying this code:
....
$finfo = finfo_open(FILEINFO_MIME, '/etc/httpd/magic');
....
fwrite($fp, finfo_file($finfo, "file.jpg"));
....
But I'm getting "application/octet-stream; charset=binary" instead of "image/jpeg; charset=binary" which is given from "file -i file.jpg" (shell command).
What's the problem?
Solved using $finfo = finfo_open(FILEINFO_MIME); instead of the other line. I think the default magic file is not the same that I was specifing.
As refered on www.php.net/manual/en/ref.fileinfo.php:
<?php
function is_jpg($fullpathtoimage){
if(file_exists($fullpathtoimage)){
exec("/usr/bin/identify -format %m $fullpathtoimage",$out);
//using system() echos STDOUT automatically
if(!empty($out)){
//identify returns an empty result to php
//if the file is not an image
if($out == 'JPEG'){
return true;
}
}
}
return false;
}
?>
Alternately, if you've got execution rights and want to use a "hacky" solution, you can simply do what you've already done (using file -i path with shell_exec):
<?php
function shell_get_mime_type($path) {
if (is_readable($path)) {
$command = 'file -i "' . realpath($path) . '"';
$shellOutput = trim(shell_exec($command));
//eg. "nav_item.png: image/png; charset=binary"
if (!empty($shellOutput)) {
$colonPosition = strpos($shellOutput, ':');
if ($colonPosition !== false) {
return rtrim(substr($shellOutput, $colonPosition + 1));
}
return $shellOutput;
}
}
return false;
}
?>
Try to use function mime_content_type().
I'm creating a simple webapp my students can use to upload their projects (as a .zip file) to my server. This app takes the .zip > unzips it > displays a link to their web-project.
I'm using a php function like this, to extract the zip file:
function openZip($file_to_open) {
global $target;
$zip = new ZipArchive();
$x = $zip->open($file_to_open);
if($x === true) {
$zip->extractTo($target);
$zip->close();
unlink($file_to_open);
} else {
die("There was a problem. Please try again!");
}
}
is it possible to check the type of the files being extracted and only allow specific file types to get unzipped? Not that I don't trust my students... just want to make sure nothing malicious makes its way to my server.
my students will be uploading simple web projects, so I only want to allow .html, .css and .js (as well as image file types, and directories) to be extracted.
Check out ZipArchive::getFromName to pull just 1 file from the Zip by filename. You may also want to take a look at ZipArchive::getFromIndex
$zip = new ZipArchive;
if ($zip->open('test1.zip') === TRUE)
{
echo $zip->getFromName('testfromfile.php');
$zip->close();
}
else
{
echo 'failed';
}
You can always try finfo_file() like this:
$finfo = finfo_open(FILEINFO_MIME_TYPE);
echo finfo_file($finfo, "yourfile.zip");
finfo_close($finfo);
On the PHP website, the only real checking they suggest is using is_uploaded_file() or move_uploaded_file(), here. Of course you usually don't want user's uploading any type of file, for a variety of reasons.
Because of this, I have often used some "strict" mime type checking. Of course this is very flawed because often mime types are wrong and users can't upload their file. It is also very easy to fake and/or change. And along with all of that, each browser and OS deals with them differently.
Another method is to check the extension, which of course is even easier to change than mime type.
If you only want images, using something like getimagesize() will work.
What about other types of files? PDFs, Word documents or Excel files? Or even text only files?
Edit: If you don't have mime_content_type or Fileinfo and system("file -bi $uploadedfile") gives you the wrong file type, what other options are there?
Take a look at mime_content_type or Fileinfo. These are built-in PHP commands for determining the type of a file by looking at the contents of the file. Also check the comments on the above two pages, there are some other good suggestions.
Personally I've had good luck using something that's essentially system("file -bi $uploadedfile"), but I'm not sure if that's the best method.
IMHO, all MIME-type checking methods are useless.
Say you've got which should have MIME-type application/pdf. Standard methods are trying to find something that looks like a PDF header (%PDF- or smth. like that) and they will return 'Okay, seems like this is a PDF file' on success. But in fact this doesn't means anything. You can upload a file containing only %PDF-1.4 and it will pass MIME-check.
I mean if the file has an expected MIME-type - it will always pass the MIME-type check otherwise the result is undefined.
I assume you are going to have a fixed white-list of file-types that you will accept.
For each of these types, you are going to have to use different techniques to verify that they are valid examples of that format.
There are two related questions:
Does it look roughly like it might be the right type? (For JPEG, you could check the headers, as you mentioned. For many Unix-based formats, you could check the "magic cookie".)
Is it actually a valid example of that type (e.g. For any XML-like format, you could validate against a DTD.)
I think that, for each format, you should ask separate questions for each one, because the answer will be quite different for PDFs compared to ZIP files.
I used mime_content_type that is compatible with PHP 5.2, because I can use neither Fileinfo (it requires PHP 5.3) nor system(), that is disabled by my provider.
For example, I check if a file is a text file so:
if (strcmp(substr(mime_content_type($f),0,4),"text")==0) { ... }
You can see a full example in my "PHP Directory and Subdirectory Listener & File Viewer and Downloader" at:
http://www.galgani.it/software_repository/index.php
if(isset($_FILES['uploaded'])) {
$temp = explode(".", $_FILES["uploaded"]["name"]);
$allowedExts = array("txt","htm","html","php","css","js","json","xml","swf","flv","pdf","psd","ai","eps","eps","ps","doc","rtf","ppt","odt","ods");
$extension = end($temp);
if( in_array($extension, $allowedExts)) {
//code....
} else {
echo "Error,not Documentum type...";
}
}
Here is the function file_mime_type from iZend:
function file_mime_type($file, $encoding=true) {
$mime=false;
if (function_exists('finfo_file')) {
$finfo = finfo_open(FILEINFO_MIME);
$mime = finfo_file($finfo, $file);
finfo_close($finfo);
}
else if (substr(PHP_OS, 0, 3) == 'WIN') {
$mime = mime_content_type($file);
}
else {
$file = escapeshellarg($file);
$cmd = "file -iL $file";
exec($cmd, $output, $r);
if ($r == 0) {
$mime = substr($output[0], strpos($output[0], ': ')+2);
}
}
if (!$mime) {
return false;
}
if ($encoding) {
return $mime;
}
return substr($mime, 0, strpos($mime, '; '));
}
For PHP>=5.3.0, you can use php's finfo_file(finfo_file) function to get the file infomation about the file.
For PHP<5.3.0, you can use your's system's file command to get the file information.
So just make it in one function,
var_dump(mime_type("wiki templete.txt")); // print string(10) "text/plain"
function mime_type($file_path)
{
if (function_exists('finfo_open')) {
$finfo = new finfo(FILEINFO_MIME_TYPE, null);
$mime_type = $finfo->file($file_path);
}
if (!$mime_type && function_exists('passthru') && function_exists('escapeshellarg')) {
ob_start();
passthru(sprintf('file -b --mime %s 2>/dev/null', escapeshellarg($file_path)), $return);
if ($return > 0) {
ob_end_clean();
$mime_type = null;
}
$type = trim(ob_get_clean());
if (!preg_match('#^([a-z0-9\-]+/[a-z0-9\-\.]+)#i', $type, $match)) {
$mime_type = null;
}
$mime_type = $match[1];
}
return $mime_type;
}
MimeTypes